[Snort-devel] http_gunzip preprocessor
frank at ...2134...
Thu Jan 5 11:33:08 EST 2006
On Thu, 2006-01-05 at 14:12 -0500, Eric Lauzon wrote:
> Case where you won't see anything:
"Seeing" is not "detecting" ;)
> to redirect you to a server where there is the WMF, even if the initial
> is "decompressed", where are you gonna be able to detect anything?
only detecting <script> and be done with it. You can't do that when the
page is gzip compressed in the HTTP stream. There is no <script>. If it
were uuencoded, you could potentially match on that (due to the nature
of the algorithm), but you can't do that with zip/compress/deflate
unless you follow it from the beginning, which means decoding on the
> One good example is shellcode detection where, after the birth of
> ADMmutate, ASCII shellcode encoding, polymorphism, the only real way to
> detect shellcode is to have host based IDS that monitor process memory,
> process structure and Instruction
Yet we had fnord.
> The scope of should be writing a portion of code for a specific case
> just arisen but has been exploited before. Why not think about an http
> module that can use sub preprocessor on the http stream? This could then
> lead toward stream anomaly / state
I'm sorry, I'm not able to follow your sentence structure here. I *am*
talking about a module that sits behind the http_inspect thing and
further normalizes the stream.
> I'm still convinced that most of the people won't read
> and will then complain, the other half will try but will encounter
> huge performance issues.
How can you say that without even having tried it? Please go do some analysis
of the compressed traffic actually present.
> Where is the trade-off? A quick "useless" feature as of it won't help
> over other means of [...]
Useless to you perhaps.
Man, I'm sorry dude, I have to put you on my plonker list. If you want to
discuss technical merits in earnest (which it doesn't look like), please
use a different address.
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
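An added example (not from the thread, and not Snort's own code) of the point Frank is making above: a content match for `<script>` finds nothing in the gzip-compressed bytes of an HTTP body, a stateful inflater fed the same bytes segment by segment does find it, and an inflater that joins the stream after the first segment cannot recover. The HTML body and the segment sizes are constructed for the demonstration.

```python
import gzip
import re
import zlib

# Constructed sample response body: HTML with an inline <script>, as a server
# would send it with Content-Encoding: gzip. The script body is a placeholder.
HTML = (b"<html><head><title>constructed sample page</title></head><body>"
        b"<p>Some ordinary page text that pads the body out a little.</p>"
        b"<script>window.location = 'http://example.invalid/';</script>"
        b"</body></html>")
COMPRESSED = gzip.compress(HTML, mtime=0)  # fixed mtime keeps the bytes stable

SCRIPT_RE = re.compile(rb"<script", re.IGNORECASE)

def segments(data, size):
    """Cut a byte string into TCP-segment-sized pieces (constructed sizes)."""
    return [data[i:i + size] for i in range(0, len(data), size)]

def matches_raw(chunks):
    """What a content rule sees without decoding: the compressed wire bytes."""
    return bool(SCRIPT_RE.search(b"".join(chunks)))

def matches_inflated(chunks, start_at=0):
    """Run the segments through one stateful gzip inflater and match on the
    running plaintext. start_at > 0 simulates a sensor that missed the start
    of the stream: without the gzip header the inflater cannot resynchronise."""
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # +16 selects gzip framing
    plaintext = b""
    try:
        for chunk in chunks[start_at:]:
            plaintext += inflater.decompress(chunk)
            if SCRIPT_RE.search(plaintext):
                return True
    except zlib.error:
        return False  # header check failed or stream corrupt: nothing to match
    return False

if __name__ == "__main__":
    wire = segments(COMPRESSED, 40)
    print("segments on the wire:          ", len(wire))
    print("match on raw gzip bytes:       ", matches_raw(wire))
    print("match after streaming inflate: ", matches_inflated(wire))
    print("match joining mid-stream:      ", matches_inflated(wire, start_at=1))
```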